Roaming Mantis attack on Android and iOS users
After attacking Germany, Taiwan, South Korea, Japan, the US and the UK, Operation Roaming Mantis next targeted Android and iOS users in France, potentially compromising tens of thousands of devices.
Roaming Mantis is believed to be a financially motivated threat actor that began targeting European users in February.
In a recently observed campaign, the threat actor uses SMS communications to trick users into downloading malware onto their Android devices. If the potential victim is using iOS, they will be redirected to a phishing page for Apple credentials.
Dropping XLoader
In a report published today, researchers from cybersecurity firm SEKOIA say that the Roaming Mantis group is now dropping XLoader (also tracked as MoqHao) onto Android devices. XLoader is a capable malware family whose features include remote access, data theft and SMS spamming.
Roaming Mantis' ongoing campaign targets French users and begins with a text message sent to new victims asking them to follow a URL.
The SMS claims that a package has been sent to the recipient and that they need to check it and arrange its delivery.
If the user is located in France and browsing from an iOS device, they are redirected to a phishing page that steals Apple credentials. Android users in France are directed to a site that serves the installation file for a mobile app (an Android Package Kit, or APK).
For users outside of France, Roaming Mantis servers show a 404 error and the attack stops.
The APK poses as a Chrome installation and requests dangerous permissions such as intercepting SMS, placing phone calls, reading and writing storage, managing system alert windows, and listing the accounts on the device, among others.
The command-and-control (C2) server configuration is read from a page on the imgur website whose address is hard-coded in the malware. To evade simple string matching, the server address on that page is base64-encoded; this hides it from casual inspection but is trivially reversible.
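The dead-drop lookup described above is the first thing an analyst reverses: because the address is only base64-encoded, every base64-looking token on the fetched page can be decoded and tested for whether it looks like a URL or a host:port pair. The following Python is an added example written for this page, not SEKOIA's tooling or code from the malware; the page layout, the hostname c2-example.invalid and the "Hello world" decoy token are constructed for the demo, and the real resolver page's exact format is not described in the article.

```python
import base64
import binascii
import re
from typing import List, Optional
from urllib.parse import urlparse

# Constructed stand-in for the hosting page used as a dead-drop resolver.
# The first token decodes to "https://c2-example.invalid/api" (an invented,
# non-resolving address); the second decodes to "Hello world" and serves as
# a decoy that a careless extractor would report as an indicator.
SAMPLE_PAGE = """<div class="profile">
  <p>Just another account.</p>
  <p>aHR0cHM6Ly9jMi1leGFtcGxlLmludmFsaWQvYXBp</p>
  <p>SGVsbG8gd29ybGQ= is not an address</p>
</div>
"""

# Runs of base64 alphabet characters with optional padding. 12 is a floor
# that skips ordinary words while still catching short host:port strings.
B64_RE = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

# hostname or IPv4, optional :port, optional path
HOSTPORT_RE = re.compile(
    r"^(?:[A-Za-z0-9.-]+\.[A-Za-z]{2,}|\d{1,3}(?:\.\d{1,3}){3})(:\d{1,5})?(/\S*)?$"
)


def try_decode(token: str) -> Optional[str]:
    """Decode a base64 token to printable UTF-8 text, or None if it is not one."""
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def looks_like_c2(text: str) -> bool:
    """Accept full URLs with a network location, or bare host[:port][/path]."""
    parsed = urlparse(text)
    if parsed.scheme in ("http", "https", "ws", "wss") and parsed.netloc:
        return True
    return bool(HOSTPORT_RE.match(text))


def extract_c2_candidates(page_text: str) -> List[str]:
    """Return distinct decoded tokens that look like C2 addresses, in page order."""
    found: List[str] = []
    for token in B64_RE.findall(page_text):
        decoded = try_decode(token)
        if decoded and looks_like_c2(decoded) and decoded not in found:
            found.append(decoded)
    return found


if __name__ == "__main__":
    # Expected: ['https://c2-example.invalid/api']; the "Hello world" decoy is dropped.
    print(extract_c2_candidates(SAMPLE_PAGE))
```

The "looks like an address" filter is what separates this from a blind base64 sweep: the decoy token decodes cleanly but is rejected, so the output can be fed straight into a blocklist or a pivot query. If a sample uses a custom alphabet or wraps the string in a marker, adjust B64_RE first; the decode and filter stages stay the same.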
SEKOIA confirmed that more than 90,000 unique IP addresses have so far requested XLoader from the main C2 server, so the number of victims may be significant (unique IPs are an upper bound on infected devices, since carrier NAT, researchers and scanners all contribute hits).
The number of iOS users who handed their Apple iCloud credentials to the Roaming Mantis phishing page is unknown and could be comparable or even higher.
Infrastructure details
SEKOIA analysts report that the Roaming Mantis infrastructure has not changed much since its last analysis by Team Cymru last April.
The servers still expose TCP/443, TCP/5985, TCP/10081 and TCP/47001 (5985 and 47001 are the default Windows WinRM listener ports, which suggests Windows hosts), and the same TLS certificates seen in April are still in use.
"Domains used in SMS messages are either registered with GoDaddy or use dynamic DNS services such as duckdns.org," SEKOIA explains in the report.
Interestingly, the smishing operation relies on C2 servers separate from those used by XLoader; analysts identified nine of them hosted in the EHOSTIDC and VELIANET autonomous systems.
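The infrastructure details above (a stable port profile, reused TLS certificates, dynamic-DNS landing domains and two recurring ASNs) are exactly the attributes a hunter pivots on in a Shodan or Censys export. The following Python is an added example written for this page, not SEKOIA's or Team Cymru's tooling; the scan records, the documentation-range IPs and the certificate fingerprint are constructed placeholders, and only the port set, the duckdns.org provider and the ASN names come from the article.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional

# Indicators from the article: port profile, dynamic-DNS provider, ASNs.
ROAMING_MANTIS_PORTS: FrozenSet[int] = frozenset({443, 5985, 10081, 47001})
DYNDNS_SUFFIXES = ("duckdns.org",)          # only duckdns.org is named on the page
KNOWN_ASN_NAMES = {"EHOSTIDC", "VELIANET"}


@dataclass(frozen=True)
class HostRecord:
    """One flattened row of a scan export: what we actually pivot on."""
    ip: str
    open_ports: FrozenSet[int]
    tls_sha256: Optional[str]   # SHA-256 fingerprint of the served leaf certificate
    asn_name: str


def score_host(rec: HostRecord, known_cert_fps: Iterable[str]) -> List[str]:
    """Return the indicators this host matches; an empty list means no overlap."""
    fps = {f.lower() for f in known_cert_fps}
    reasons: List[str] = []
    if ROAMING_MANTIS_PORTS <= rec.open_ports:
        # Port profile is weak on its own: 5985/47001 are default WinRM ports
        # on many ordinary Windows servers, so it needs corroboration.
        reasons.append("port-profile")
    if rec.tls_sha256 and rec.tls_sha256.lower() in fps:
        # Certificate reuse is the strongest pivot available from the article.
        reasons.append("cert-reuse")
    if rec.asn_name.upper() in KNOWN_ASN_NAMES:
        reasons.append("known-asn")
    return reasons


def triage(hosts: Iterable[HostRecord], known_cert_fps: Iterable[str],
           min_hits: int = 2) -> List[str]:
    """IPs matching at least `min_hits` indicators, i.e. worth blocking or pivoting on."""
    fps = set(known_cert_fps)
    return [h.ip for h in hosts if len(score_host(h, fps)) >= min_hits]


def is_dyndns_domain(domain: str) -> bool:
    """True if an SMS landing domain sits under a listed dynamic-DNS provider."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in DYNDNS_SUFFIXES)


# Constructed sample records: IPs are from RFC 5737 documentation ranges and
# the fingerprint is a placeholder, not a real Roaming Mantis certificate.
PLACEHOLDER_FP = "sha256:" + "ab" * 32
KNOWN_FPS = {PLACEHOLDER_FP}
SAMPLE_HOSTS = [
    HostRecord("192.0.2.10", frozenset({443, 5985, 10081, 47001}), PLACEHOLDER_FP, "EHOSTIDC"),
    HostRecord("198.51.100.5", frozenset({80, 443, 5985, 47001}), None, "VELIANET"),
    HostRecord("203.0.113.7", frozenset({22, 443}), None, "SOME-OTHER-AS"),
]


if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        print(h.ip, score_host(h, KNOWN_FPS))
    print("triage:", triage(SAMPLE_HOSTS, KNOWN_FPS))        # ['192.0.2.10']
    print(is_dyndns_domain("delivery-update.duckdns.org"))  # True
```

Requiring two independent indicators before acting keeps a generic WinRM host in one of those ASNs from being blocked on the port profile alone, while a host that also serves a known certificate is flagged immediately. Swap the placeholder fingerprint for the real ones from the SEKOIA or Team Cymru reports before running this against a live export.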